A newly identified cyber campaign is shedding light on how threat actors are combining artificial intelligence with search manipulation to exploit trusted platforms. Known as “Pushpaganda,” this operation leverages AI-generated content and SEO poisoning techniques to infiltrate Google Discover feeds and redirect users into a network of scams and ad fraud infrastructure.
Researchers from HUMAN’s Satori Threat Intelligence team uncovered the campaign, noting that it primarily targets Android and Chrome users by abusing how personalized content is surfaced. Instead of directly delivering malware, the attackers manipulate content discovery systems to guide users toward malicious domains.
The strategy behind Pushpaganda revolves around creating believable, AI-generated articles that resemble legitimate news or trending stories. These articles are carefully optimized to increase their chances of appearing in Google Discover, a feature widely used by mobile users for curated updates. Because Discover is often perceived as a trusted source, users are more likely to engage with the content without suspicion.
Once a user clicks on one of these articles, they are taken to an attacker-controlled website. At first glance, the site appears legitimate, but it quickly shifts focus to persuading the user to enable browser notifications. This step is central to the campaign’s effectiveness, as it establishes a long-term communication channel between the attacker and the victim.
After notifications are enabled, users begin receiving a stream of misleading alerts. These messages are intentionally crafted to create urgency, often presenting fake warnings about legal issues, device security problems, or account breaches. The goal is to prompt immediate action, leading users to click without verifying the authenticity of the alert.
Each interaction feeds the campaign’s broader ecosystem. Clicking on these notifications redirects users to additional malicious domains, many of which are designed to generate advertising revenue or facilitate scams. By continuously driving traffic across these interconnected sites, the attackers are able to monetize user engagement at scale.
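Because the notification grant is the persistent channel described above, auditing which origins hold it is a direct defensive check. The script below is an added example, not from the original article or HUMAN's research. It assumes desktop Chrome's `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, with `setting` 1 meaning allow and `last_modified` in microseconds since 1601-01-01); the sample data, domains and `corp.example` allowlist are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ALLOW = 1  # assumed Chrome content-setting value for "allow" (2 is "block")

def granted_notification_origins(prefs):
    """Return [(host, granted_at)] for origins allowed to push notifications, newest first."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                       .get("exceptions", {}).get("notifications", {}))
    grants = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") != ALLOW:
            continue  # blocked or default entries are not a delivery channel
        primary = pattern.split(",", 1)[0]  # "https://host:443,*" -> "https://host:443"
        host = urlsplit(primary).hostname or primary
        raw = entry.get("last_modified")
        when = CHROME_EPOCH + timedelta(microseconds=int(raw)) if raw else None
        grants.append((host, when))
    return sorted(grants, key=lambda g: g[1] or CHROME_EPOCH, reverse=True)

def unexpected_grants(prefs, allowlist):
    """Grants whose host is neither an allowlisted domain nor a subdomain of one."""
    def allowed(host):
        return any(host == d or host.endswith("." + d) for d in allowlist)
    return [(h, w) for h, w in granted_notification_origins(prefs) if not allowed(h)]

# Constructed sample mirroring the assumed Preferences structure.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.corp.example:443,*":     {"last_modified": "13390000000000000", "setting": 1},
  "https://trending-news.example:443,*": {"last_modified": "13391000000000000", "setting": 1},
  "https://daily-alerts.example:443,*":  {"last_modified": "13389000000000000", "setting": 1},
  "https://blocked-site.example:443,*":  {"last_modified": "13388000000000000", "setting": 2}
}}}}}
""")

if __name__ == "__main__":
    for host, when in unexpected_grants(SAMPLE_PREFS, {"corp.example"}):
        print(host, when.isoformat() if when else "unknown")
```

Run against a real profile by loading its `Preferences` file with `json.load` in place of `SAMPLE_PREFS`; any host it reports is a candidate for revoking the notification permission.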
The scale of the operation is significant. At its peak, researchers observed approximately 240 million bid requests tied to more than 100 domains within a single week. While the campaign initially targeted users in India, it quickly expanded to other regions, including the United States, Canada, Australia, South Africa, and the United Kingdom.
One of the defining characteristics of Pushpaganda is its reliance on AI to accelerate content production. Automated tools allow attackers to generate large volumes of articles in a short period, covering a wide range of topics and audiences. This not only increases reach but also makes it more challenging for detection systems to keep up with the constantly evolving content.
Google has responded by implementing updates to reduce the visibility of such spam within its Discover platform. The company reiterated that using AI to produce content solely for manipulating rankings violates its policies. It also highlighted its ongoing efforts to improve spam detection and maintain the quality of content presented to users.
Despite these countermeasures, the campaign highlights a broader issue in the current threat landscape. Attackers are increasingly focusing on exploiting trust-based systems rather than traditional vulnerabilities. By embedding themselves within legitimate content ecosystems, they can operate more effectively and at a much larger scale.
In this context, external threat intelligence plays a crucial role. Platforms like IntelligenceX provide the ability to analyze domain infrastructure, track malicious activity, and identify relationships between different components of a campaign. This level of insight is essential for understanding how operations like Pushpaganda are structured and how they evolve over time.
With the help of IntelligenceX, organizations can detect clusters of suspicious domains and monitor their behavior across various sources. This enables a more proactive approach to threat detection, allowing security teams to identify risks before they escalate into large-scale incidents.
Another important aspect is brand protection. Campaigns like Pushpaganda often rely on deceptive content that may reference legitimate services or organizations to build credibility. By using tools such as IntelligenceX, companies can monitor whether their brand is being misused within these networks and take action accordingly.
The use of push notifications as a delivery mechanism is not a new concept. However, Pushpaganda demonstrates how this technique can be significantly enhanced when combined with AI-generated content and SEO manipulation. The result is a highly scalable system capable of reaching millions of users with relatively low effort.
This campaign also aligns with broader findings about large-scale ad fraud ecosystems. Previous investigations have revealed networks of thousands of domains functioning as “cashout” platforms, where fraudulent traffic is converted into revenue. These systems are often designed to persist beyond individual campaigns, allowing them to be reused by different threat actors.
One of the key challenges in addressing such threats is their resilience. Even when specific domains or applications are taken down, the underlying infrastructure often remains active. This makes it difficult to completely eliminate the threat, as new campaigns can quickly emerge using the same resources.
Because of this, continuous monitoring is essential. Identifying malicious domains early and tracking their activity over time can significantly reduce the impact of such operations. Platforms like IntelligenceX support this process by providing access to large-scale intelligence and enabling deeper analysis of emerging threats.
The Pushpaganda campaign serves as a clear example of how cyber threats are evolving. By combining automation, manipulation, and scalable infrastructure, attackers are creating operations that are both efficient and difficult to detect. As these techniques continue to advance, both users and organizations must adapt their strategies to stay ahead.
Ultimately, the campaign underscores an important reality: security today is not just about protecting systems, but also about understanding how information flows and how trust can be exploited within digital ecosystems.